[Samba] issue with multiple Samba DC and uid/gid assignment.

steve steve at steve-ss.com
Sun Aug 25 13:45:02 MDT 2013


On Sun, 2013-08-25 at 17:03 +0100, Rowland Penny wrote:
> On 25/08/13 16:52, dahopkins at comcast.net wrote:
> >
> > > Hi, Where does Windows 2008R2 fit into this setup, is it in the same
> > > domain? is it the primary AD server?
> >
> > It is a member server in the same domain on which we ran ADUC. It was 
> > a member of the prior samba3/LDAP authentication system. I can now log 
> > back onto this server and launch ADUC. All three of the samba4 DC are 
> > listed in Domain Controllers. However, since adding nslcd/nscd to 
> > ncssamba2, the only DC I can connect to is ncssamba1.  When I try to 
> > select a different domain controller, I get "The list of Domain 
> > Controllers for domain ncs.k12.de.us is unavailable because: Access is
> > Denied"
> >
> > > I would suggest that you read Steve's site a bit more but this time
> > > about sssd.
> > > I would also suggest that you just use the Samba 4 DCs just for
> > > authentication and use the Samba fileservers to store the profiles
> > > etc. You would then not need anything but the basic Samba4 setup on
> > > the AD DCs.
> >
> > That is the goal except profiles/home directories were not being accessed
> > correctly on the samba4 domain member servers which I am trying to 
> > resolve.
> >
> > I am still not clear if I should be installing nslcd on the AD DCs. 
> > And if I do, what is the correct setting for the following in
> > nslcd.conf
> >
> > # The location at which the LDAP server(s) should be reachable.
> > uri ldap://ncssamba1.ncs.k12.de.us/
> >
> > Should this point to the local machine, e.g. ncssamba1 for nslcd 
> > running on ncssamba1, ncssamba2 for nslcd running on ncssamba2 or 
> > should it point to the same ldap server on all AD DCs?   I am willing 
> > to migrate from nslcd to sssd but need to understand what needs to be 
> > uninstalled/installed where before attempting it.
> >
> > Sincerely,
> > Dave Hopkins
> >
> >
> >
> If you just use the Samba 4 ADs for authentication, you do not need 
> anything else on them, you just need to add the relevant attributes 
> (uidNumber, gidNumber, homeDirectory, profilePath etc.) to each user.
> You just need to set up samba on the fileservers to pull and use this 
> information.
> 
> If you use sssd to do this, you will use kerberos, so very little extra 
> needs to be added other than sssd, sssd-tools and krb5.
> 
> Rowland

Hi
The OP is running nscd. This must be disabled, otherwise wbinfo and
getent will always come from the cache. Any change to AD will not be
reflected until the cache is cleared. I'm almost certain that the issue
can be cured by disabling nscd.
Cheers,
Steve



